author | Alyssa Ross <hi@alyssa.is> | 2023-12-17 17:44:14 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-12-17 17:44:14 +0100 |
commit | 778336429cc37ad5b0d736336141d09bf227653d (patch) | |
tree | 4aa85bd5d87d5bb5fb2c35ab9313987606abca89 /nixpkgs/nixos | |
parent | 6b8e2555ef013b579cda57025b17d662e0f1fe1f (diff) | |
parent | 7d6929828a2d28eda9d37254ff6be3b6819506ca (diff) | |
Merge branch 'nixos-unstable-small' of https://github.com/NixOS/nixpkgs
Diffstat (limited to 'nixpkgs/nixos')
-rw-r--r-- | nixpkgs/nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/programs/winbox.nix | 23 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/services/hardware/udev.nix | 3 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/services/network-filesystems/drbd.nix | 4 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/services/network-filesystems/kubo.nix | 2 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/services/networking/quicktun.nix | 146 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix | 2 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/kubo/default.nix | 4 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/kubo/kubo.nix | 7 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/quicktun.nix | 18 |
11 files changed, 162 insertions, 49 deletions
diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix
index dc95ff8016b2..a8d55a73a10f 100644
--- a/nixpkgs/nixos/modules/module-list.nix
+++ b/nixpkgs/nixos/modules/module-list.nix
@@ -278,6 +278,7 @@ ./programs/wayland/waybar.nix ./programs/wayland/wayfire.nix ./programs/weylus.nix + ./programs/winbox.nix ./programs/wireshark.nix ./programs/xastir.nix ./programs/wshowkeys.nix
diff --git a/nixpkgs/nixos/modules/programs/winbox.nix b/nixpkgs/nixos/modules/programs/winbox.nix
new file mode 100644
index 000000000000..6af299d52009
--- /dev/null
+++ b/nixpkgs/nixos/modules/programs/winbox.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.programs.winbox;
+in
+{
+ options.programs.winbox = {
+ enable = lib.mkEnableOption ("MikroTik Winbox");
+ package = lib.mkPackageOption pkgs "winbox" { };
+
+ openFirewall = lib.mkOption {
+ description = ''
+ Whether to open ports for the MikroTik Neighbor Discovery protocol. Required for Winbox neighbor discovery.
+ '';
+ default = false;
+ type = lib.types.bool;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [ 5678 ];
+ };
+}
diff --git a/nixpkgs/nixos/modules/services/hardware/udev.nix b/nixpkgs/nixos/modules/services/hardware/udev.nix
index 311f60795bae..670b9087f110 100644
--- a/nixpkgs/nixos/modules/services/hardware/udev.nix
+++ b/nixpkgs/nixos/modules/services/hardware/udev.nix
@@ -112,7 +112,8 @@ let echo "OK" filesToFixup="$(for i in "$out"/*; do - grep -l '\B\(/usr\)\?/s\?bin' "$i" || : + # list all files referring to (/usr)/bin paths, but allow references to /bin/sh. + grep -P -l '\B(?!\/bin\/sh\b)(\/usr)?\/bin(?:\/.*)?' "$i" || : done)" if [ -n "$filesToFixup" ]; then
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix b/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix
index e74ed391d48e..79a1b768b461 100644
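Review bot: `programs.winbox.package` is declared with `lib.mkPackageOption` in winbox.nix but the `config` block never references it, so enabling the module only touches the firewall and installs nothing; add `environment.systemPackages = [ cfg.package ];` next to the `networking.firewall.allowedUDPPorts` line. The `openFirewall` description should also say what is being opened, since `allowedUDPPorts` applies to every interface: `Whether to open UDP port 5678 (MikroTik Neighbor Discovery) on all interfaces. Required for Winbox neighbor discovery; consider networking.firewall.interfaces.<iface>.allowedUDPPorts to limit it to one interface.` The parentheses in `lib.mkEnableOption ("MikroTik Winbox")` are superfluous.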
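Review bot: The new pattern on the `grep -P -l` line in udev.nix only matches `(/usr)/bin` paths, whereas the replaced `\B\(/usr\)\?/s\?bin` also caught `/sbin` and `/usr/sbin`, so rules referring to sbin paths are no longer collected into `filesToFixup`; if the fixup step below this hunk still rewrites such paths this is a silent behaviour change, and if dropping sbin is intended the comment should say so. Either restore the optional `s`, `grep -P -l '\B(?!\/bin\/sh\b)(\/usr)?\/s?bin(?:\/.*)?' "$i" || :`, or extend the comment to `# list all files referring to (/usr)/bin paths, but allow references to /bin/sh (sbin paths are intentionally left alone)`. The shell fragment this sits in starts and ends outside the hunk.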
--- a/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix
@@ -55,8 +55,8 @@ let cfg = config.services.drbd; in wants = [ "systemd-udev.settle.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${pkgs.drbd}/sbin/drbdadm up all"; - ExecStop = "${pkgs.drbd}/sbin/drbdadm down all"; + ExecStart = "${pkgs.drbd}/bin/drbdadm up all"; + ExecStop = "${pkgs.drbd}/bin/drbdadm down all"; }; }; };
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/kubo.nix b/nixpkgs/nixos/modules/services/network-filesystems/kubo.nix
index fbf9b32a2b25..e0b3fb0f36a7 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/kubo.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/kubo.nix
@@ -361,6 +361,8 @@ in Group = cfg.group; StateDirectory = ""; ReadWritePaths = optionals (!cfg.autoMount) [ "" cfg.dataDir ]; + # Make sure the socket units are started before ipfs.service + Sockets = [ "ipfs-gateway.socket" "ipfs-api.socket" ]; } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; }; } // optionalAttrs (!cfg.startWhenNeeded) { wantedBy = [ "default.target" ];
diff --git a/nixpkgs/nixos/modules/services/networking/quicktun.nix b/nixpkgs/nixos/modules/services/networking/quicktun.nix
index 7aed972adc88..2d44659f2080 100644
--- a/nixpkgs/nixos/modules/services/networking/quicktun.nix
+++ b/nixpkgs/nixos/modules/services/networking/quicktun.nix
@@ -1,94 +1,153 @@ -{ config, pkgs, lib, ... }: +{ options, config, pkgs, lib, ... }: let + inherit (lib) mkOption mdDoc types mkIf; + opt = options.services.quicktun; cfg = config.services.quicktun; - in - -with lib; - { options = { - services.quicktun = mkOption { default = { }; - description = lib.mdDoc "QuickTun tunnels"; - type = types.attrsOf (types.submodule { + description = mdDoc '' + QuickTun tunnels. + + See <http://wiki.ucis.nl/QuickTun> for more information about available options. + ''; + type = types.attrsOf (types.submodule ({ name, ... }: let + qtcfg = cfg.${name}; + in { options = { tunMode = mkOption { - type = types.int; - default = 0; - example = 1; - description = lib.mdDoc ""; + type = with types; coercedTo bool (b: if b then 1 else 0) (ints.between 0 1); + default = false; + example = true; + description = mdDoc "Whether to operate in tun (IP) or tap (Ethernet) mode."; }; remoteAddress = mkOption { type = types.str; + default = "0.0.0.0"; example = "tunnel.example.com"; - description = lib.mdDoc ""; + description = mdDoc '' + IP address or hostname of the remote end (use `0.0.0.0` for a floating/dynamic remote endpoint). 
+ ''; }; localAddress = mkOption { - type = types.str; + type = with types; nullOr str; + default = null; example = "0.0.0.0"; - description = lib.mdDoc ""; + description = mdDoc "IP address or hostname of the local end."; }; localPort = mkOption { - type = types.int; + type = types.port; default = 2998; - description = lib.mdDoc ""; + description = mdDoc "Local UDP port."; }; remotePort = mkOption { - type = types.int; - default = 2998; - description = lib.mdDoc ""; + type = types.port; + default = qtcfg.localPort; + defaultText = lib.literalExpression "config.services.quicktun.<name>.localPort"; + description = mdDoc " remote UDP port"; }; remoteFloat = mkOption { - type = types.int; - default = 0; - description = lib.mdDoc ""; + type = with types; coercedTo bool (b: if b then 1 else 0) (ints.between 0 1); + default = false; + example = true; + description = mdDoc '' + Whether to allow the remote address and port to change when properly encrypted packets are received. + ''; }; protocol = mkOption { - type = types.str; + type = types.enum [ "raw" "nacl0" "nacltai" "salty" ]; default = "nacltai"; - description = lib.mdDoc ""; + description = mdDoc "Which protocol to use."; }; privateKey = mkOption { - type = types.str; - description = lib.mdDoc ""; + type = with types; nullOr str; + default = null; + description = mdDoc '' + Local secret key in hexadecimal form. + + ::: {.warning} + This option is deprecated. Please use {var}`services.quicktun.<name>.privateKeyFile` instead. + ::: + + ::: {.note} + Not needed when {var}`services.quicktun.<name>.protocol` is set to `raw`. + ::: + ''; + }; + + privateKeyFile = mkOption { + type = with types; nullOr path; + # This is a hack to deprecate `privateKey` without using `mkChangedModuleOption` + default = if qtcfg.privateKey == null then null else pkgs.writeText "quickttun-key-${name}" qtcfg.privateKey; + defaultText = "null"; + description = mdDoc '' + Path to file containing local secret key in binary or hexadecimal form. 
+ + ::: {.note} + Not needed when {var}`services.quicktun.<name>.protocol` is set to `raw`. + ::: + ''; }; publicKey = mkOption { - type = types.str; - description = lib.mdDoc ""; + type = with types; nullOr str; + default = null; + description = mdDoc '' + Remote public key in hexadecimal form. + + ::: {.note} + Not needed when {var}`services.quicktun.<name>.protocol` is set to `raw`. + ::: + ''; }; timeWindow = mkOption { - type = types.int; + type = types.ints.unsigned; default = 5; - description = lib.mdDoc ""; + description = mdDoc '' + Allowed time window for first received packet in seconds (positive number allows packets from history) + ''; }; upScript = mkOption { - type = types.lines; - default = ""; - description = lib.mdDoc ""; + type = with types; nullOr lines; + default = null; + description = mdDoc '' + Run specified command or script after the tunnel device has been opened. + ''; }; }; - }); + })); }; - }; - config = mkIf (cfg != []) { - systemd.services = foldr (a: b: a // b) {} ( - mapAttrsToList (name: qtcfg: { + config = { + warnings = lib.pipe cfg [ + (lib.mapAttrsToList (name: value: if value.privateKey != null then name else null)) + (builtins.filter (n: n != null)) + (map (n: " - services.quicktun.${n}.privateKey")) + (services: lib.optional (services != [ ]) '' + `services.quicktun.<name>.privateKey` is deprecated. + Please use `services.quicktun.<name>.privateKeyFile` instead. + + Offending options: + ${lib.concatStringsSep "\n" services} + '') + ]; + + systemd.services = lib.mkMerge ( + lib.mapAttrsToList (name: qtcfg: { "quicktun-${name}" = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; 
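Review bot: Nothing in the new `config` block verifies that key material is actually configured: `privateKeyFile` and `publicKey` are now `nullOr` with `null` defaults, and their descriptions say they are only unnecessary for `protocol = "raw"`, so a tunnel using the default `nacltai` protocol without any key evaluates cleanly and only fails once the service starts. An `assertions` entry beside `warnings` would surface this at evaluation time (sketched below; whether `publicKey` is strictly required for every non-raw protocol should be confirmed against quicktun). The store name in the `privateKeyFile` default, `quickttun-key-${name}`, has a typo, and the `remotePort` description `" remote UDP port"` carries a leading space and does not match the sibling descriptions (`"Remote UDP port."`). The `config` attribute set continues in the next hunk.
```nix
  config = {
    # Fail at evaluation time rather than at service start when an encrypted
    # protocol is selected but no key material has been configured.
    assertions = lib.mapAttrsToList (name: qtcfg: {
      assertion = qtcfg.protocol == "raw" || (qtcfg.privateKeyFile != null && qtcfg.publicKey != null);
      message = "services.quicktun.${name}: protocol ${qtcfg.protocol} requires privateKeyFile and publicKey to be set.";
    }) cfg;

    # … unchanged: warnings, systemd.services …
```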
@@ -96,14 +155,14 @@ with lib; INTERFACE = name; TUN_MODE = toString qtcfg.tunMode; REMOTE_ADDRESS = qtcfg.remoteAddress; - LOCAL_ADDRESS = qtcfg.localAddress; + LOCAL_ADDRESS = mkIf (qtcfg.localAddress != null) (qtcfg.localAddress); LOCAL_PORT = toString qtcfg.localPort; REMOTE_PORT = toString qtcfg.remotePort; REMOTE_FLOAT = toString qtcfg.remoteFloat; - PRIVATE_KEY = qtcfg.privateKey; - PUBLIC_KEY = qtcfg.publicKey; + PRIVATE_KEY_FILE = mkIf (qtcfg.privateKeyFile != null) qtcfg.privateKeyFile; + PUBLIC_KEY = mkIf (qtcfg.publicKey != null) qtcfg.publicKey; TIME_WINDOW = toString qtcfg.timeWindow; - TUN_UP_SCRIPT = pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript; + TUN_UP_SCRIPT = mkIf (qtcfg.upScript != null) (pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript); SUID = "nobody"; }; serviceConfig = {
@@ -114,5 +173,4 @@ with lib; }) cfg ); }; - }
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix
index 027479b1ce09..e0227f93e2f2 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -295,7 +295,7 @@ in ++ lib.optional config.powerManagement.enable powerdevil ++ lib.optional config.services.colord.enable pkgs.colord-kde ++ lib.optional config.services.hardware.bolt.enable pkgs.plasma5Packages.plasma-thunderbolt - ++ lib.optionals config.services.samba.enable [ kdenetwork-filesharing pkgs.samba ] + ++ lib.optional config.services.samba.enable kdenetwork-filesharing ++ lib.optional config.services.xserver.wacom.enable pkgs.wacomtablet ++ lib.optional config.services.flatpak.enable flatpak-kcm;
diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix
index ab07428cf055..c9234fc52536 100644
--- a/nixpkgs/nixos/tests/all-tests.nix
+++ b/nixpkgs/nixos/tests/all-tests.nix
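Review bot: The path handed to the unit on the `PRIVATE_KEY_FILE = mkIf (qtcfg.privateKeyFile != null) qtcfg.privateKeyFile;` line is a world-readable Nix store path whenever it comes from the deprecated `privateKey` fallback (the `pkgs.writeText` default declared in the previous hunk), which is the actual reason to deprecate `privateKey`, yet neither the warning text nor the `privateKeyFile` description says so. I would add to the `privateKeyFile` description: `The file must not be placed in the Nix store (it would be world-readable) and must be readable by the service.` and to the deprecation warning: `The key is written to the world-readable Nix store.` The unit keeps `SUID = "nobody"` on the unchanged line below, so if quicktun opens the key file only after dropping privileges the file must also be readable by that user — worth confirming against quicktun before documenting. The `environment` attribute set this belongs to starts outside the hunk.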
@@ -717,6 +717,7 @@ in { qgis-ltr = handleTest ./qgis.nix { qgisPackage = pkgs.qgis-ltr; }; qownnotes = handleTest ./qownnotes.nix {}; quake3 = handleTest ./quake3.nix {}; + quicktun = handleTest ./quicktun.nix {}; quorum = handleTest ./quorum.nix {}; rabbitmq = handleTest ./rabbitmq.nix {}; radarr = handleTest ./radarr.nix {};
diff --git a/nixpkgs/nixos/tests/kubo/default.nix b/nixpkgs/nixos/tests/kubo/default.nix
index 629922fc366d..d8c0c69dc1fb 100644
--- a/nixpkgs/nixos/tests/kubo/default.nix
+++ b/nixpkgs/nixos/tests/kubo/default.nix
@@ -1,5 +1,7 @@ { recurseIntoAttrs, runTest }: recurseIntoAttrs { kubo = runTest ./kubo.nix; - kubo-fuse = runTest ./kubo-fuse.nix; + # The FUSE functionality is completely broken since Kubo v0.24.0 + # See https://github.com/ipfs/kubo/issues/10242 + # kubo-fuse = runTest ./kubo-fuse.nix; }
diff --git a/nixpkgs/nixos/tests/kubo/kubo.nix b/nixpkgs/nixos/tests/kubo/kubo.nix
index 7965ad277385..b8222c652b33 100644
--- a/nixpkgs/nixos/tests/kubo/kubo.nix
+++ b/nixpkgs/nixos/tests/kubo/kubo.nix
@@ -46,6 +46,13 @@ f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2" ) + machine.stop_job("ipfs") + + with subtest("Socket activation for the Gateway"): + machine.succeed( + f"curl 'http://127.0.0.1:8080/ipfs/{ipfs_hash.strip()}' | grep fnord2" + ) + with subtest("Setting dataDir works properly with the hardened systemd unit"): machine.succeed("test -e /mnt/ipfs/config") machine.succeed("test ! -e /var/lib/ipfs/")
diff --git a/nixpkgs/nixos/tests/quicktun.nix b/nixpkgs/nixos/tests/quicktun.nix
new file mode 100644
index 000000000000..a5a632457117
--- /dev/null
+++ b/nixpkgs/nixos/tests/quicktun.nix
@@ -0,0 +1,18 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }:
+{
+ name = "quicktun";
+ meta.maintainers = with lib.maintainers; [ h7x4 ];
+
+ nodes = {
+ machine = { ... }: {
+ services.quicktun."test-tunnel" = {
+ protocol = "raw";
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("quicktun-test-tunnel.service")
+ '';
+}) |
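Review bot: The test only waits for `quicktun-test-tunnel.service` with `protocol = "raw"`, so the default encrypted path (`nacltai` with `privateKeyFile`/`publicKey`) and the deprecated `privateKey` fallback introduced in this merge are not exercised, and an active unit alone does not show that a tunnel device was created. At minimum add `machine.succeed("ip link show test-tunnel")` after the `wait_for_unit` call (assuming quicktun names the device after the `INTERFACE` environment variable the module sets), and a second node configured with a generated key pair would cover the encrypted configuration.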